diff --git a/packages/aws-cdk-lib/aws-cognito/lib/user-pool-idps/oidc.ts b/packages/aws-cdk-lib/aws-cognito/lib/user-pool-idps/oidc.ts
index c17b48a799bdc..3f7bcf22d85fb 100644
--- a/packages/aws-cdk-lib/aws-cognito/lib/user-pool-idps/oidc.ts
+++ b/packages/aws-cdk-lib/aws-cognito/lib/user-pool-idps/oidc.ts
@@ -1,7 +1,7 @@
 import { Construct } from 'constructs';
 import { UserPoolIdentityProviderProps } from './base';
 import { UserPoolIdentityProviderBase } from './private/user-pool-idp-base';
-import { Names, Token } from '../../../core';
+import { Names, SecretValue, Token } from '../../../core';
 import { CfnUserPoolIdentityProvider } from '../cognito.generated';
 
 /**
@@ -14,9 +14,17 @@ export interface UserPoolIdentityProviderOidcProps extends UserPoolIdentityProvi
 readonly clientId: string;
 
 /**
- * The client secret
+ * The client secret as a plain text string. Exactly one of clientSecret or clientSecretValue has to be provided.
+ * @default none
+ * @deprecated use clientSecretValue instead
 */
- readonly clientSecret: string;
+ readonly clientSecret?: string;
+
+ /**
+ * The client secret read from a @SecretValue. Exactly one of clientSecret or clientSecretValue has to be provided.
+ * @default none
+ */
+ readonly clientSecretValue?: SecretValue;
 
 /**
 * Issuer URL
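Review bot: The TSDoc on the new `clientSecretValue` property uses `@SecretValue`, which is not a TSDoc tag and renders literally; it should be `{@link SecretValue}`. The docs also don't say where the value ends up: the constructor hunk in this commit passes it through `unsafeUnwrap()` into `providerDetails.client_secret`, so a `SecretValue.unsafePlainText()` value is written into the synthesized template in clear text, while a Secrets Manager or SSM backed value should survive as a dynamic reference that CloudFormation resolves at deploy time (worth confirming against a synthesized template). Suggested wording: `* The client secret read from a {@link SecretValue}. Exactly one of clientSecret or clientSecretValue has to be provided.` followed by `* Prefer SecretValue.secretsManager() or SecretValue.ssmSecure() so the secret is not stored in the synthesized template.` The `@deprecated` tag on `clientSecret` would be more useful with the reason, e.g. `@deprecated use clientSecretValue instead; a plain string ends up in the template in clear text`. The enclosing interface starts before this hunk and continues after it.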
@@ -109,13 +117,19 @@ export class UserPoolIdentityProviderOidc extends UserPoolIdentityProviderBase {
 
 const scopes = props.scopes ?? ['openid'];
 
+ //at least one of the properties must be configured
+ if ((!props.clientSecret && !props.clientSecretValue) ||
+ (props.clientSecret && props.clientSecretValue)) {
+ throw new Error('Exactly one of "clientSecret" or "clientSecretValue" must be configured.');
+ }
+
 const resource = new CfnUserPoolIdentityProvider(this, 'Resource', {
 userPoolId: props.userPool.userPoolId,
 providerName: this.getProviderName(props.name),
 providerType: 'OIDC',
 providerDetails: {
 client_id: props.clientId,
- client_secret: props.clientSecret,
+ client_secret: props.clientSecretValue ? props.clientSecretValue.unsafeUnwrap() : props.clientSecret,
 authorize_scopes: scopes.join(' '),
 attributes_request_method: props.attributeRequestMethod ?? OidcAttributeRequestMethod.GET,
 oidc_issuer: props.issuerUrl,
diff --git a/packages/aws-cdk-lib/aws-cognito/test/user-pool-idps/oidc.test.ts b/packages/aws-cdk-lib/aws-cognito/test/user-pool-idps/oidc.test.ts
index 9e37c7a02e411..981648f8ef3c7 100644
--- a/packages/aws-cdk-lib/aws-cognito/test/user-pool-idps/oidc.test.ts
+++ b/packages/aws-cdk-lib/aws-cognito/test/user-pool-idps/oidc.test.ts
@@ -1,5 +1,5 @@
 import { Template } from '../../../assertions';
-import { Stack } from '../../../core';
+import { SecretValue, Stack } from '../../../core';
 import { ProviderAttribute, UserPool, UserPoolIdentityProviderOidc } from '../../lib';
 
 describe('UserPoolIdentityProvider', () => {
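Review bot: The comment `//at least one of the properties must be configured` contradicts the check under it, which rejects both-missing and both-present and so enforces exactly one; change it to `// exactly one of clientSecret / clientSecretValue must be configured` (with the space after `//` that the `// GIVEN` comments in this commit's tests use). The check also relies on truthiness, so `clientSecret: ''` is rejected as "not configured" rather than accepted as an empty secret; if that is intended say so in the comment, otherwise compare with `=== undefined`. On the `client_secret` line, `unsafeUnwrap()` is what decides what lands in the template — the clear-text secret for `SecretValue.unsafePlainText`, presumably a `{{resolve:...}}` dynamic reference for Secrets Manager / SSM values — and a one-line comment stating that would save the next reader from treating `unsafeUnwrap` as a plaintext leak in every case. The constructor this code belongs to starts and ends outside the hunk.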
@@ -226,5 +226,35 @@ describe('UserPoolIdentityProvider', () => {
 ProviderName: 'oidcoidcoidcoidccoidcoidcoidcxyz',
 });
 });
+
+ test('throws with invalid param combination when clientSecret and clientSecretValue are passed', () => {
+ // GIVEN
+ const stack = new Stack();
+ const pool = new UserPool(stack, 'userpool');
+
+ // THEN
+ expect(() => new UserPoolIdentityProviderOidc(stack, 'userpoolidp', {
+ userPool: pool,
+ name: 'xy',
+ clientId: 'client-id',
+ clientSecret: 'client-secret',
+ clientSecretValue: SecretValue.unsafePlainText('client-secret'),
+ issuerUrl: 'https://my-issuer-url.com',
+ })).toThrow(/Exactly one of "clientSecret" or "clientSecretValue" must be configured./);
+ });
+
+ test('throws with invalid param combination when neither clientSecret nor clientSecretValue are passed', () => {
+ // GIVEN
+ const stack = new Stack();
+ const pool = new UserPool(stack, 'userpool');
+
+ // THEN
+ expect(() => new UserPoolIdentityProviderOidc(stack, 'userpoolidp', {
+ userPool: pool,
+ name: 'xy',
+ clientId: 'client-id',
+ issuerUrl: 'https://my-issuer-url.com',
+ })).toThrow(/Exactly one of "clientSecret" or "clientSecretValue" must be configured./);
+ });
 });
 });
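Review bot: Both new tests cover only the rejection paths; nothing asserts that a `clientSecretValue` actually reaches `ProviderDetails.client_secret`, so the `unsafeUnwrap()` branch in the constructor is left unverified. A positive test with a Secrets Manager backed value would also pin the security-relevant property that the synthesized template holds a dynamic reference rather than the secret itself. Something like the following, with `Match` added to the existing `import { Template } from '../../../assertions'` line; the exact `resolve:secretsmanager:` form is my assumption and should be confirmed against a synthesized template. The enclosing `describe` blocks start before this hunk.
```typescript
test('clientSecretValue is passed to the provider as a dynamic reference', () => {
  // GIVEN
  const stack = new Stack();
  const pool = new UserPool(stack, 'userpool');

  // WHEN
  new UserPoolIdentityProviderOidc(stack, 'userpoolidp', {
    userPool: pool,
    name: 'xy',
    clientId: 'client-id',
    clientSecretValue: SecretValue.secretsManager('my-oidc-client-secret'), // constructed sample secret name
    issuerUrl: 'https://my-issuer-url.com',
  });

  // THEN — the template must carry a reference, never the secret itself
  Template.fromStack(stack).hasResourceProperties('AWS::Cognito::UserPoolIdentityProvider', {
    ProviderDetails: Match.objectLike({
      client_secret: Match.stringLikeRegexp('resolve:secretsmanager:my-oidc-client-secret'),
    }),
  });
});
```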